Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
22 commits
Select commit Hold shift + click to select a range
954085c
Add introduction section
jeremycaine May 15, 2026
31b52dd
Add scope diagrams section with C4 Level 1 and Level 2 diagrams
jeremycaine May 15, 2026
0a39c38
Update lws10-core/index.html
jeremycaine Jun 11, 2026
cf9be25
Update lws10-core/index.html
jeremycaine Jun 11, 2026
4ada3f2
Update lws10-core/index.html
jeremycaine Jun 11, 2026
8f7c768
Update lws10-core/index.html
jeremycaine Jun 11, 2026
25cdda7
Update lws10-core/index.html
jeremycaine Jun 11, 2026
1e1ea84
Update lws10-core/index.html
jeremycaine Jun 27, 2026
685d6fb
Update lws10-core/index.html
jeremycaine Jun 29, 2026
aba265c
Update lws10-core/diagrams/fig-2-container-diagram.md
jeremycaine Jun 29, 2026
99e8716
Restore missing content in lws10-core/index.html
jeremycaine Jun 30, 2026
abca902
Merge branch 'scope-diagrams' of https://github.com/jeremycaine/lws-p…
jeremycaine Jun 30, 2026
810e52e
Restore missing content
jeremycaine Jun 30, 2026
3187ac4
Merge branch 'introduction-section' of https://github.com/jeremycaine…
jeremycaine Jun 30, 2026
29ece08
edits in response to comments
jeremycaine Jul 6, 2026
624685f
corrected identtity server scope
jeremycaine Jul 7, 2026
66c4303
reworked diagrams using LikeC4 and markdown descriptions of each
jeremycaine Jul 10, 2026
457cfc8
updated core index.html to show diagrams
jeremycaine Jul 10, 2026
7fe9a79
updated core index.html with table text of diagram elements
jeremycaine Jul 10, 2026
ccafd9d
Merge branch 'main' into introduction-section
jeremycaine Jul 13, 2026
c6295b9
Merge branch 'introduction-section' of https://github.com/jeremycaine…
jeremycaine Jul 14, 2026
da07c8f
updated diagrams for agent
jeremycaine Jul 14, 2026
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file added lws10-core/diagrams/fig1-system-context.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added lws10-core/diagrams/fig2-container-diagram.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added lws10-core/diagrams/fig4-resource-hierarchy.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
64 changes: 64 additions & 0 deletions lws10-core/diagrams/figures.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
# Figures

A set of composition diagrams that models the [Linked Web Storage Protocol](https://w3c.github.io/lws-protocol/lws10-core/) specification.

## Figure 1 - System Context Diagram

Shows the LWS System as a single unit and the person who uses it. Establishes scope only — no internal structure is shown.

![Fig. 1 - System Context](./fig1-system-context.png)

| Box | Description |
|---|---|
| Agent | An agent of the LWS system |
| LWS System | A system that implements the LWS Protocol |

## Figure 2 - Container Diagram

Breaks the LWS System into its primary elements.

![Fig. 2 - Container](./fig2-container-diagram.png)

| Box | Description |
|---|---|
| Agent | An agent of the LWS system |
| LWS System | A system that implements the LWS Protocol |
| LWS Client | An HTTP client that complies with the LWS Protocol |
| LWS Server | An HTTP server that complies with the LWS Protocol |

## Figure 3 - LWS Server Component Diagram

Decomposition of the LWS Server into components and their responsibilities from client request to storage access.

![Fig. 3 - LWS Server Component](./fig3-lws-server-components.png)

| Box | Description |
|---|---|
| LWS Client | An HTTP client that complies with the LWS Protocol |
| LWS Server | An HTTP server that complies with the LWS Protocol |
| Resource Manager | Manages data resources, containers, containment and linksets |
| Authentication | Validates credentials against the identity provider |
| Authorization | Enforces resource manager access decisions |
| Storage Controller | Controls all resources in the storage directed by its client resource-manager |
| Identity Provider | Confirms user identity and issues signed credentials. MAY be an external system |
| Storage | A set of hierarchically organized HTTP resources managed per LWS conventions |

## Figure 4 - LWS Resource Type Hierarchy

The resource type taxonomy and relationship defined in the specification's Terminology section.

![Fig. 4 - Resource Type Hierarchy](./fig4-resource-hierarchy.png)

| Box | Description |
|---|---|
| Resource Manager | Manages data resources, containers, containment and linksets |
| Storage | A set of hierarchically organized HTTP resources managed per LWS conventions |
| LWS Resource | An HTTP resource that supports the read operations defined by LWS |
| Container | An LWS resource able to enumerate a collection of LWS resources; may recursively contain other containers |
| Data Resource | A data-bearing LWS resource such as a document, image, or structured information |
| Auxiliary Resource | An LWS resource whose lifetime is bound to a primary resource |
| Linkset Resource | An auxiliary resource conforming to RFC9264 |
| Metadata Resource | An auxiliary resource, managed by a storage, that describes an LWS resource |
| Storage Root | The container at the root of a containment hierarchy of a storage |
| Storage Description | Enumerates the storage root and the services/capabilities of a storage |

Binary file added lws10-core/diagrams/index.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
161 changes: 161 additions & 0 deletions lws10-core/diagrams/lws10-core.c4
Original file line number Diff line number Diff line change
@@ -0,0 +1,161 @@
specification {
element actor {
style {
shape person
color amber
}
}
element system {
style {
color blue
opacity 30%
}
}
element externalSystem {
style {
color secondary
opacity 30%
}
}
element component

element resource {
style {
shape document
color indigo
}
}

relationship isA {
color gray
line dashed
head none
}
relationship contains {
color gray
head diamond
}
relationship boundTo {
color gray
line dotted
head none
}
relationship describes {
color gray
line dotted
}
relationship manages

tag optional
}

model {
agent = actor 'Agent' {
description 'An agent of the LWS system'
}

lws = system 'LWS System' {
description 'A system that implements the LWS Protocol'
component lws-client 'LWS Client' {
description 'An HTTP client that complies with the LWS Protocol'
}
component lws-server 'LWS Server' {
description 'An HTTP server that complies with the LWS Protocol'

component identity-provider 'Identity Provider' {
#optional
description 'Confirms user identity and issues signed credentials. MAY be an external system'
}
component resource-manager 'Resource Manager' {
description 'Manages data resources, containers, containment and linksets'
}
component authentication 'Authentication' {
description 'Validates credentials against the identity provider'
}
component authorization 'Authorization' {
description 'Enforces resource manager access decisions'
}
component storage 'Storage' {
description 'A set of hierarchically organized HTTP resources managed per LWS conventions'

lws-resource = resource 'LWS Resource' {
description 'An HTTP resource that supports the read operations defined by LWS'
}
container = resource 'Container' {
description 'An LWS resource able to enumerate a collection of LWS resources; may recursively contain other containers'
}
data-resource = resource 'Data Resource' {
description 'A data-bearing LWS resource such as a document, image, or structured information'
}
auxiliary-resource = resource 'Auxiliary Resource' {
description 'An LWS resource whose lifetime is bound to a primary resource'
}
linkset-resource = resource 'Linkset Resource' {
description 'An auxiliary resource conforming to RFC9264'
}
metadata-resource = resource 'Metadata Resource' {
description 'An auxiliary resource, managed by a storage, that describes an LWS resource'
}
storage-root = resource 'Storage Root' {
description 'The container at the root of a containment hierarchy of a storage'
}
storage-description = resource 'Storage Description' {
description 'Enumerates the storage root and the services/capabilities of a storage'
}

container -[isA]-> lws-resource
data-resource -[isA]-> lws-resource
auxiliary-resource -[isA]-> lws-resource
linkset-resource -[isA]-> auxiliary-resource
metadata-resource -[isA]-> auxiliary-resource
storage-root -[isA]-> container
storage-description -[isA]-> lws-resource

container -[contains]-> data-resource 'contains'

auxiliary-resource -[boundTo]-> lws-resource 'bound to primary resource'
metadata-resource -[describes]-> lws-resource 'describes'
storage-description -[describes]-> storage-root 'enumerates & describes'
}

component storage-controller 'Storage Controller' {
description 'Controls all resources in the storage directed by its client resource-manager'
}
}

agent -> lws-client 'agent requests'
lws-client -> lws-server 'HTTP requests'
lws-client -> identity-provider 'authenticates'
lws-client -> resource-manager 'sends request'
resource-manager -> authentication 'authenticates request'
authentication -> identity-provider 'validates credentials'

@elf-pavlik elf-pavlik Jul 10, 2026

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

My comment is mostly about this interaction. In general case this happesn between Authorization Server of the Resource Owner and the IdP of the End-user. Showing it as 'internal' to the LWS Server can bring confusion instead of clarifying it.

You can see Step 10 and after on https://elf-pavlik.github.io/lws-auth/view/oidc/?dynamic=sequence
And F5 & F6 on https://github.com/hackers4peace/likec4-example-customization/blob/4542f2b7edc20549bbf2f856483dccc94a7bdb0f/likec4/lws.c4#L54-L55

resource-manager -> authorization 'checks permission'
resource-manager -> storage-controller 'acts as client to'
storage-controller -> storage 'controls'
resource-manager -[manages]-> storage-root 'manages'
}
}

views {
view fig1-system-context {
title 'System Context Diagram'
include agent, lws
}

view fig2-container-diagram of lws {
title 'Container Diagram'
include *
}

view fig3-lws-server-components of lws-server {
title 'LWS Server Component Diagram'
autoLayout TopBottom
include *
}

view fig4-resource-hierarchy of storage {
title 'LWS Resource Type Hierarchy'
autoLayout LeftRight
include *
}
}
134 changes: 130 additions & 4 deletions lws10-core/index.html
Original file line number Diff line number Diff line change
Expand Up @@ -115,7 +115,29 @@ <h2>Document Conventions</h2>
<section id="introduction">
<h2>Introduction</h2>
<p>
This specification defines the Linked Web Storage (LWS) Protocol, which enables client applications to access and manage web resources stored externally, based on the identity and permissions of the user.
</p>
<p>
By standardising how an LWS server manages and provides access to a hierarchy of linked resources, the protocol enables users to use different LWS client applications to interact with the same stored data. These linked resources are defined through containers and containment relationships that describe where things are located, and metadata that describes how the resources relate to each other.
</p>
<p>
The protocol defines standard operations on these resources to create, read, update, and delete. Resources, their containment, and their metadata are managed by the server as a set of JSON-LD documents (and other representations). Each resource is identified by a URI. A client navigates the resource hierarchy from a root container, discovering contained resources and their relations through links provided in server responses.
</p>
<p>
A user's identity is confirmed through an identity provider that can be external to the Linked Web Storage server. This separation means the server does not manage credentials directly; rather, it receives and validates a signed authentication credential as a token issued by a trusted identity provider. A user can therefore present their existing identity to any compliant server, without needing a new or existing separate account on that server. User authentication is defined in companion specifications for OpenID Connect, SAML 2.0, and self-signed controlled identifiers (CIDs).
</p>
<p>
Authorization determines whether a requesting user has permission to access a resource or perform an operation on it. A compliant LWS server designates a resource manager for each resource that determines whether a resource is private (i.e., available only to its owner), restricted (i.e., available to a defined set of users), or public (i.e., available to any user). The server enforces the access decisions of the resource manager when handling each client request.
</p>
<p>This specification is intended to be used by:</p>
<ul>
<li>Developers building client applications that access a user's LWS resources</li>
<li>Server implementers building compliant LWS servers that mediate access to a user's web resources</li>
</ul>
<p>
Different compliant servers each maintain their own hierarchy of linked resources. A user can navigate across servers using the same identity, with access to each server's resources determined by the permissions granted by that servers resource managers.
</p>


<section id="resource-access">
<h2>Resource Access</h2>
Expand Down Expand Up @@ -155,11 +177,115 @@ <h2>Security and Privacy</h2>
</p>

<p>
A <dfn>LWS Client</dfn> is an HTTP client [[!rfc9112]] that complies with all of the relevant "MUST" statements in this specification. Specifically, the relevant normative "MUST" statements in <a href="#operations"></a> of this document MUST be respected.
An <dfn>LWS Client</dfn> is an HTTP client [[!rfc9112]] that complies with all of the relevant "MUST" statements in this specification. Specifically, the relevant normative "MUST" statements in <a href="#operations"></a> of this document MUST be respected.
</p>
</section>
</section>

<section id="scope-diagrams"> <!-- becomes 2.4 Scope Diagrams -->
<h2>Scope Diagrams</h2>
<p>
The following diagrams are platform-independent models
to guide implementation.
</p>
<p>
Figure 1 System Context shows the LWS System as a single unit and the person who uses it.
</p>
<figure id="fig-1-system-context">
<img src="diagrams/fig1-system-context.png"
alt="Figure 1 System Context shows the LWS System as a single unit and the person who uses it."/>
<figcaption>System Context (C4 Level 1)</figcaption>
</figure>
<p>
<table>
<thead>
<tr><th>Box</th><th>Description</th></tr>
</thead>
<tbody>
<tr><td>LWS User</td><td>A user of the LWS system</td></tr>
<tr><td>LWS System</td><td>A system that implements the LWS Protocol</td></tr>
</tbody>
</table>
</p>

<p>
Figure 2 Container Diagram breaks the LWS System into its primary elements.
</p>
<figure id="fig-2-container-diagram">
<img src="diagrams/fig2-container-diagram.png"
alt="Figure 2 Container Diagram breaks the LWS System into its primary elements."/>
<figcaption>Container diagram (C4 Level 2)</figcaption>
</figure>
<p>
<table>
<thead>
<tr><th>Box</th><th>Description</th></tr>
</thead>
<tbody>
<tr><td>LWS User</td><td>A user of the LWS system</td></tr>
<tr><td>LWS System</td><td>A system that implements the LWS Protocol</td></tr>
<tr><td>LWS Client</td><td>An HTTP client that complies with the LWS Protocol</td></tr>
<tr><td>LWS Server</td><td>An HTTP server that complies with the LWS Protocol</td></tr>
</tbody>
</table>
</p>

<p>
Figure 3 Component Diagram decomposition of the LWS Server into components and their responsibilities from client request to storage access.
</p>
<figure id="fig-3-lws-server-components">
<img src="diagrams/fig3-lws-server-components.png"
alt="Figure 3 Component Diagram decomposition of the LWS Server into components and their responsibilities from client request to storage access."/>
<figcaption>Component diagram (C4 Level 3)</figcaption>
</figure>
<p>
<table>
<thead>
<tr><th>Box</th><th>Description</th></tr>
</thead>
<tbody>
<tr><td>LWS Client</td><td>An HTTP client that complies with the LWS Protocol</td></tr>
<tr><td>LWS Server</td><td>An HTTP server that complies with the LWS Protocol</td></tr>
<tr><td>Resource Manager</td><td>Manages data resources, containers, containment and linksets</td></tr>
<tr><td>Authentication</td><td>Validates credentials against the identity provider</td></tr>
<tr><td>Authorization</td><td>Enforces resource manager access decisions</td></tr>
<tr><td>Storage Controller</td><td>Controls all resources in the storage, directed by its client resource-manager</td></tr>
<tr><td>Identity Provider</td><td>Confirms user identity and issues signed credentials. MAY be an external system</td></tr>
<tr><td>Storage</td><td>A set of hierarchically organized HTTP resources managed per LWS conventions</td></tr>
</tbody>
</table>
</p>

<p>
Figure 4 Resource Types show taxonomy and relationship defined in the specification's Terminology section.
</p>
<figure id="fig-4-resource-hierarchy">
<img src="diagrams/fig4-resource-hierarchy.png"
alt="Figure 4 Resource Types show taxonomy and relationship defined in the specification's Terminology section."/>
<figcaption>Resource hierarchy</figcaption>
</figure>
<p>
<table>
<thead>
<tr><th>Box</th><th>Description</th></tr>
</thead>
<tbody>
<tr><td>Resource Manager</td><td>Manages data resources, containers, containment and linksets</td></tr>
<tr><td>Storage</td><td>A set of hierarchically organized HTTP resources managed per LWS conventions</td></tr>
<tr><td>LWS Resource</td><td>An HTTP resource that supports the read operations defined by LWS</td></tr>
<tr><td>Container</td><td>An LWS resource able to enumerate a collection of LWS resources; may recursively contain other containers</td></tr>
<tr><td>Data Resource</td><td>A data-bearing LWS resource such as a document, image, or structured information</td></tr>
<tr><td>Auxiliary Resource</td><td>An LWS resource whose lifetime is bound to a primary resource</td></tr>
<tr><td>Linkset Resource</td><td>An auxiliary resource conforming to RFC9264</td></tr>
<tr><td>Metadata Resource</td><td>An auxiliary resource, managed by a storage, that describes an LWS resource</td></tr>
<tr><td>Storage Root</td><td>The container at the root of a containment hierarchy of a storage</td></tr>
<tr><td>Storage Description</td><td>Enumerates the storage root and the services/capabilities of a storage</td></tr>
</tbody>
</table>
</p>

</section>

</section>
<section id="terminology">
<h2>Terminology</h2>
<p>
Expand Down Expand Up @@ -203,7 +329,7 @@ <h2>Terminology</h2>

<div class="issue atrisk" title="Section may be removed">
<p>
This specification defines <a>operations</a> on <a>served resources</a>, the resulting change of state, and a <a>response</a> intended to give the <a>requesting agent</a> requested infomation or inform them of the outcome of the <a>operation</a>.
This specification defines <a>operations</a> on <a>served resources</a>, the resulting change of state, and a <a>response</a> intended to give the <a>requesting agent</a> requested information or inform them of the outcome of the <a>operation</a>.
An <dfn>operation</dfn> is any of the following actions that can be performed on a <a>served resource</a>:
</p>
<ul>
Expand All @@ -214,7 +340,7 @@ <h2>Terminology</h2>
</ul>

<p>
The folowing section will describe the semantics and <dfn>responses</dfn> of these operations but the following <dfn>core responses</dfn> apply to any operation:
The following section will describe the semantics and <dfn>responses</dfn> of these operations but the following <dfn>core responses</dfn> apply to any operation:
</p>
<ul>
<li><dfn>success</dfn> - the operation is believed to have completed. This may be accompanied by a <dfn>resource representation</dfn> conveying the contents of a <a>served resource</a>. A <a>success</a> response is not defined for the <a>create resource</a> operation. See instead <a href="#dfn-created">created</a>.</li>
Expand Down
Loading